Risk lessons over beer and bratwurst

I now understand that I am a security risk. I previously didn’t view myself as a risk, but a recent vacation trip proved me wrong. In fact, American travelers overseas are more and more being viewed as a risk because our credit card processing technology is insecure and behind the times.

I first learned that I was a risk when I tried to pay for a meal in Germany with a U.S.-based credit card. I was told by the proprietor that American credit cards are no longer accepted in many places in Germany – and throughout Europe – because they are insecure and lack a smart card chip. Once I got past the surprise of being reminded about security by a pub owner, I started giving some thought to the merits of the European EMV “chip-and-PIN” card system. The EMV (short for Europay, MasterCard and Visa) system replaces the insecure stripe on credit cards with a smart card chip and a four- to six-digit PIN which “unlocks” the card.

Some U.S.-based banks now issue “chip-and-PIN” cards, and one of the first things that I did when I returned from vacation was to ask for one. As a result of my trip, I re-learned something else about security. Don’t take it for granted.

When did you last validate your security controls – beyond an audit? I’m talking about the baseline assumptions. What was designed several years back was probably to the best standards of the time, but attacks have become more persistent and sophisticated. Review your strategy, your controls and your capacity to respond to a distributed denial-of-service (DDoS) attack, an advanced persistent threat (APT), or a data dump of critical business information. Will your security information and event management (SIEM) or log management solution scale under an attack, or will you lose critical security intelligence data when you need it most because your systems can’t keep up?

Raw processing capability of security platforms have increased along with the IT industry as a whole. Perhaps when your last firewall or intrusion prevention systems platform was deployed, critical options were not turned on for performance reasons or concerns about responsiveness under heavy load. That might have been the right decision at the time, but when new hardware capabilities are deployed such performance-based decisions require review.

One other risk management technique was learned on this trip. Cover the top of your glass with a coaster when you’ve had enough, or the beer keeps on flowing.

Opinions expressed are Dan Srebnick’s own and not those of his employer.